Forum Discussion
Send Filtered Firewall logs directly to Azure Data Explorer rather than Sentinel?
Hi there,
We have a requirement where a customer has Palo Alto firewall which is integrated to Sentinel. The maximum ingestion is coming from "drop" and "end" events/logs. The client want to send these logs directly to Azure Data Explorer rather than sentinel, since sending them to Sentinel will incur excessive cost, also these events add little value interms of security alerting.
Whats the best way to filter and directly send these two categories of logs directly to Azure Data Explorer rather than sentinel? Note: We want to sent other events to sentinel but not the two mentioned above.
Any help will be appreciated.
Thanks
Fahad.
- https://docs.microsoft.com/en-us/azure/architecture/solution-ideas/articles/monitor-azure-data-explorer and then use
https://docs.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-ingestion-time-transformations to drop the data you dont want into Log Analytics (and Sentinel)- Hi Clive, I looked at the "Add ingestion-time transformation to Azure Monitor Logs using the Azure portal (preview)" solution. It allows to drop the irrelevant logs prior ingestion. However in my scenario we dont want to remove the logs , rather we want to ingestion partial logs and remaining ones to be redirected directly to Azure Data explorer for long term storage. Any idea how we can achieve this?
- As far as I know, you'd have to drop the unnecessary column using transformation into Log Analytics. Then you'd have to drop the others before taking the other stream into ADX. You cant send column A to Log Analytics and Column B to ADX.
Are Basic logs an alternative (if you are happy with the restrictions)? https://docs.microsoft.com/en-us/azure/sentinel/basic-logs-use-cases
Clive_Watson Thanks , it was really helpful, much appreciate your prompt response. I see the solution is currently in preview and I have already requested access to be added in my subscription and now waiting.
Thanks once again for the pointers.
Fahad.
